The Iran-linked, espionage-focused advanced threat group known as APT33 has been spotted using more than a dozen obfuscated botnets to carry out narrowly targeted attacks against government and academic targets in the Middle East, the U.S. and Asia.
Each botnet, linked to its own command-and-control (C2) server, comprises a small group of up to a dozen infected computers, which are being used to gain persistence within the networks of select targets, according to researchers from Trend Micro. As of last month, researchers counted 10 live bot C2s in active operation.
The goal appears to be to establish a backdoor: “The malware is rather basic and has limited capabilities that include downloading and running additional malware,” the researchers said.
The firm has seen two separate campaigns taking aim at a private American company that “offers services related to national security,” it said, as well as victims at a university and a college in the U.S., a victim most likely related to the U.S. military, and several other victims in the Middle East and Asia.
An analysis, posted on Thursday, showed that the C2 domains are usually hosted on cloud hosted proxies, which relay URL requests from the infected bots to backends at shared webservers (which may also be hosting thousands of legitimate domains).
“The backends report bot data back to a data aggregator and bot control server that is on a dedicated IP address,” according to Trend Micro’s report. “The APT33 actors connect to these aggregators via a private VPN network with exit nodes that are changed frequently. The APT33 actors then issue commands to the bots and collect data from the bots using these VPN connections.”
Private VPNs
The use of commercial VPN services by cybercriminals is fairly common, as they try to hide their activities from analysis. However, Trend Micro found that APT33 is opting to use private VPN networks that it sets up for itself.
“Setting up a private VPN can be easily done by renting a couple of servers from datacenters around the world and using open source software like OpenVPN,” the researchers wrote. “Though the connections from private VPN networks still come from seemingly unrelated IP addresses around the world, this kind of traffic is actually easier to track. Once we know that an exit node is mainly being used by a particular actor, we can have a high degree of confidence about the attribution of the connections that are made from the IP addresses of the exit node.”
Connections to Other Attacks
The same private VPN exit nodes observed in the botnet campaigns are also being used to carry out a range of other malicious activities, according to Trend Micro. These include doing reconnaissance on an oil exploration company and on military hospitals in the Middle East, and on an oil company in the U.S; accessing websites of penetration testing firms; surfing sites that specialize in the recruitment of employees in the oil and gas industry; and hacking websites related to cryptocurrencies.
APT33 has changed up its tactics this year, after a March report exposed its infrastructure and operations; a Symantec report exposed a three-year campaign against multiple firms in Saudi Arabia and the United States.
In the wake of that, Recorded Future researchers said that they soon saw that APT33 had reassigned its key domain infrastructure and started using a new remote access trojan (RAT) not previously associated with the group.
APT33 has also been executing more aggressive attacks over the past few years, resulting in “concrete infections,” according to Trend Micro. Targets include a water facility that is used by the U.S. army for the potable water supply of one of its military bases. And, in fall 2018, the firm saw communications between a UK-based oil company with computer servers in the UK and India and an APT33 C2 server.
“Another European oil company suffered from an APT33 related malware infection on one of their servers in India for at least three weeks in November and December 2018,” according to Trend Micro. “There were several other companies in oil supply chains that had been compromised in the fall of 2018 as well. These compromises indicate a big risk to companies in the oil industry, as APT33 is known to use destructive malware.”
To that point, in 2018 the APT was seen targeting petrochemical, aerospace and energy sector firms based in U.S., Saudi Arabia and South Korea with the StoneDrill wiper malware—a variant of the infamous Shamoon 2 – in a departure from its typical espionage activities.
